An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. For instance, if a file object has an ACL that contains (Alice: read, write; Bob: read), this would give Alice permission to read and write the file and Bob only to read it.
Implementations
Many types of systems implement ACLs, or have historical implementations.
Filesystem ACLs
A filesystem ACL is a data structure (usually a table) containing entries that specify individual user or group rights to specific system objects such as programs, processes, or files. These entries are known as access control entries (ACEs) in the Microsoft Windows NT, OpenVMS, Unix-like, and Mac OS X operating systems. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights, such as whether a user can read from, write to, or execute an object. In some implementations, an ACE can control whether or not a user, or group of users, may alter the ACL on an object.
Most Unix and Unix-like operating systems (e.g. Linux, BSD, or Solaris) support POSIX.1e ACLs, based on an early POSIX draft that was abandoned in 1997. Many of them, for example AIX, FreeBSD, Mac OS X beginning with version 10.4 ("Tiger"), or Solaris with the ZFS filesystem, support NFSv4 ACLs, which are part of the NFSv4 standard. There are two experimental implementations of NFSv4 ACLs for Linux: NFSv4 ACL support for the Ext3 filesystem, and the more recent Richacls, which brings NFSv4 ACL support to the Ext4 filesystem.
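The following is an added example, not code from the article or from any operating system, that evaluates a POSIX.1e ACL written in the text form printed by getfacl(1). It follows the lookup order used by the Linux implementation: the owner entry for the owner, otherwise a matching named-user entry, otherwise the owning-group and any matching named-group entries (one that grants the request is enough), otherwise the other entry. It also applies the mask entry, which caps the effective rights of every entry except the owner's and other's, so the rights printed in an entry are not always the rights in force. The ACL text, user names and group memberships are constructed for the illustration and stand in for uids and gids.

```python
"""Evaluate POSIX.1e ACLs against a user the way the kernel does.

Added example, not code from the article or any OS. The ACL text below is
constructed in the long form printed by getfacl(1); names stand in for uids/gids.
"""
from dataclasses import dataclass

R, W, X = 4, 2, 1   # permission bits, as in 'rwx'


def parse_perm(s):
    """'rw-' -> R | W."""
    return (R if s[0] == "r" else 0) | (W if s[1] == "w" else 0) | (X if s[2] == "x" else 0)


@dataclass(frozen=True)
class Entry:
    tag: str        # "user", "group", "mask" or "other"
    qualifier: str  # "" for the owner, owning group, mask and other entries; else a name
    perm: int


def parse_acl(text):
    """Parse getfacl-style text into (owner, owning_group, entries)."""
    owner = group = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            continue                    # '# file:' header; ignore
        else:
            line = line.split("\t")[0]  # drop a trailing '#effective:...' annotation
            tag, qualifier, perm = line.split(":")
            entries.append(Entry(tag, qualifier, parse_perm(perm)))
    return owner, group, entries


def check_access(acl_text, user, groups, want):
    """True if `user` (member of `groups`) holds every permission bit in `want`.

    Order follows the POSIX.1e algorithm as implemented in Linux's
    posix_acl_permission(): the owner entry applies to the owner (unmasked);
    otherwise a matching named-user entry; otherwise the owning-group and any
    matching named-group entries, where one entry granting the request is
    enough; otherwise the other entry. Named-user and all group entries are
    ANDed with the mask entry first, so rights shown in an entry may not be
    effective.
    """
    owner, owning_group, entries = parse_acl(acl_text)
    user_obj = next(e.perm for e in entries if e.tag == "user" and not e.qualifier)
    group_obj = next(e.perm for e in entries if e.tag == "group" and not e.qualifier)
    other = next(e.perm for e in entries if e.tag == "other")
    mask = next((e.perm for e in entries if e.tag == "mask"), None)
    named_users = {e.qualifier: e.perm for e in entries if e.tag == "user" and e.qualifier}
    named_groups = {e.qualifier: e.perm for e in entries if e.tag == "group" and e.qualifier}

    def masked(perm):
        return perm if mask is None else perm & mask

    if user == owner:
        return (user_obj & want) == want
    if user in named_users:
        return (masked(named_users[user]) & want) == want
    candidates = [group_obj] if owning_group in groups else []
    candidates += [p for g, p in named_groups.items() if g in groups]
    if candidates:
        return any((masked(p) & want) == want for p in candidates)
    return (other & want) == want


# Constructed sample: auditors are granted rwx in their entry, but the mask
# caps every non-owner entry to r--, so bob's write and the auditors' execute
# are not effective (getfacl would annotate them with '#effective:r--').
SAMPLE_ACL = """\
# file: report.txt
# owner: alice
# group: staff
user::rw-
user:bob:rw-
group::r--
group:auditors:rwx
mask::r--
other::---
"""

if __name__ == "__main__":
    for who, grps, want in [("alice", {"staff"}, R | W), ("bob", set(), W),
                            ("carol", {"auditors"}, X), ("eve", set(), R)]:
        print(who, want, check_access(SAMPLE_ACL, who, grps, want))
```

The practical check this encodes: after a `chmod` that narrows the group bits, or a `setfacl` without `-n`, the mask entry changes and named entries silently lose rights; comparing an entry's printed permissions with `check_access` on the same ACL exposes the difference.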
PRIMOS featured ACLs at least as early as 1984.
In the 1990s the ACL and RBAC models were extensively tested and used to administer file permissions.
Networking ACLs
On some types of proprietary computer hardware (in particular, routers and switches), an access control list provides rules that are applied to port numbers or IP addresses that are available on a host or other layer 3 device, each with a list of hosts and/or networks permitted to use the service. Although it is additionally possible to configure access control lists based on network domain names, this is a questionable idea because individual TCP, UDP, and ICMP headers do not contain domain names. Consequently, the device enforcing the access control list must separately resolve names to numeric addresses. This presents an additional attack surface for an attacker who is seeking to compromise the security of the system which the access control list is protecting. Both individual servers and routers can have network ACLs. Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls. Like firewalls, ACLs may be subject to security regulations and standards such as PCI DSS.
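An added example, not code from the article or from any router vendor, of the rule evaluation described above as a small Python model: an ordered extended ACL with first-match semantics and an implicit deny at the end (the behaviour of most router ACLs, assumed here), plus a check for rules that an earlier, broader rule shadows, which is how a specific deny placed below a general permit quietly stops working. The rules, networks, addresses and port numbers are constructed for the illustration.

```python
"""First-match packet ACL model with implicit deny and a shadowing check.

Added example, not code from the article or from any router vendor. Rules,
networks, addresses and ports below are constructed for the illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" (any protocol), "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[int, int]]  # inclusive destination port range; None = any


def rule(action, proto, src="any", dst="any", dport=None):
    """Build a Rule from strings in the style of an extended router ACL line."""
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    if isinstance(dport, int):
        dport = (dport, dport)
    return Rule(action, proto,
                ANY if src == "any" else ipaddress.ip_network(src),
                ANY if dst == "any" else ipaddress.ip_network(dst),
                dport)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(r, p):
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in r.src or ipaddress.ip_address(p.dst) not in r.dst:
        return False
    if r.dport is not None:
        if p.dport is None or not r.dport[0] <= p.dport <= r.dport[1]:
            return False
    return True


def evaluate(acl, p):
    """Walk the list top-down; the first matching rule decides. No match means
    deny, the implicit deny that ends every router ACL."""
    for i, r in enumerate(acl):
        if matches(r, p):
            return r.action, i
    return "deny", None


def covers(a, b):
    """True if every packet that rule b would match, rule a matches too."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    port_ok = a.dport is None or (b.dport is not None
                                  and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])
    return proto_ok and port_ok and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)


def shadowed(acl):
    """Indexes of rules that can never fire because an earlier rule covers them.
    A specific permit or deny placed after a broader rule is the classic
    ordering mistake; this check finds it before the ACL is deployed."""
    return [j for j in range(len(acl)) if any(covers(acl[i], acl[j]) for i in range(j))]


# Constructed inbound ACL for an edge router protecting 10.0.0.0/8.
INBOUND = [
    rule("deny", "tcp", "any", "10.0.0.0/8", 23),                  # no telnet into the site
    rule("permit", "tcp", "192.168.1.0/24", "10.0.0.5/32", 22),    # admin net may SSH to the bastion
    rule("permit", "tcp", "any", "10.0.0.10/32", 443),             # public HTTPS service
    rule("permit", "icmp", "10.0.0.0/8", "10.0.0.0/8"),            # internal ping/traceroute
]

if __name__ == "__main__":
    for pkt in [Packet("tcp", "192.168.1.7", "10.0.0.5", 22),
                Packet("tcp", "203.0.113.9", "10.0.0.5", 22),
                Packet("tcp", "203.0.113.9", "10.0.0.10", 23)]:
        print(pkt, evaluate(INBOUND, pkt))
    print("shadowed:", shadowed([rule("permit", "ip")] + INBOUND))
```

Prepending `permit ip any any` to the list leaves every later rule shadowed, including the telnet deny, which `shadowed()` reports and `evaluate()` confirms by permitting the telnet packet. The model matches on addresses only, which is the point the section makes: a rule written against a host name has to be turned into addresses first, and that resolution step sits outside the ACL's own logic.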
SQL implementations
ACL algorithms have been ported to SQL and to relational database systems. Many "modern" (2000s and 2010s) SQL-based systems, such as enterprise resource planning and content management systems, have used ACL models in their administration modules.
Comparing with RBAC
The main alternative to the ACL model is the role-based access control (RBAC) model. A "minimal RBAC model", RBACm, can be compared with an ACL mechanism, ACLg, where only groups are permitted as entries in the ACL. Barkley (1997) showed that RBACm and ACLg are equivalent.
In modern SQL implementations, ACLs also manage groups and inheritance in a hierarchy of groups. So "modern ACLs" can express all that RBAC can express, and are notably powerful (compared to "old ACLs") in their ability to express access control policy in terms of the way in which administrators view organizations.
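The following added example, not code from the article or from any product, shows the SQL form of ACL described in the SQL section together with the group hierarchy handling discussed in the comparison with RBAC just above: ACL entries and group memberships live in two tables, and a recursive query expands a user's nested group memberships before the entries are consulted. With only group subjects in the acl table this is exactly the ACLg of the comparison, groups playing the part of roles; the single user entry shows that a general ACL may mix both. The schema, names and data are constructed, and the example runs on Python's bundled sqlite3.

```python
"""ACL stored in SQL with nested groups resolved by a recursive query.

Added example, not code from the article or any product. The schema, data and
names are constructed; it runs against Python's built-in sqlite3 module.
"""
import sqlite3

SCHEMA = """
CREATE TABLE group_members (
    member TEXT NOT NULL,          -- a user or another group
    grp    TEXT NOT NULL,
    PRIMARY KEY (member, grp)
);
CREATE TABLE acl (
    object    TEXT NOT NULL,
    subject   TEXT NOT NULL,       -- user or group name
    operation TEXT NOT NULL,
    PRIMARY KEY (object, subject, operation)
);
"""

# Constructed org: engineers is a sub-group of staff; alice is an engineer,
# carol is staff directly, bob is a contractor.
GROUP_MEMBERS = [
    ("alice", "engineers"),
    ("engineers", "staff"),
    ("carol", "staff"),
    ("bob", "contractors"),
]

# Group entries make this an ACLg in Barkley's sense (groups as roles);
# the one user entry shows that a general ACL may mix both.
ACL_ENTRIES = [
    ("design.doc", "staff", "read"),
    ("design.doc", "engineers", "write"),
    ("invoice.pdf", "contractors", "read"),
    ("invoice.pdf", "bob", "write"),
]

# Transitive closure of the groups a user belongs to. UNION (not UNION ALL)
# discards duplicate rows, so a membership cycle cannot recurse forever.
REACH = """
WITH RECURSIVE reach(subject) AS (
    SELECT ?
    UNION
    SELECT gm.grp FROM group_members gm JOIN reach r ON gm.member = r.subject
)
"""


def open_acl_db():
    """Create the in-memory database and load the constructed data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO group_members VALUES (?, ?)", GROUP_MEMBERS)
    conn.executemany("INSERT INTO acl VALUES (?, ?, ?)", ACL_ENTRIES)
    return conn


def effective_subjects(conn, user):
    """The user plus every group reached through the membership hierarchy."""
    rows = conn.execute(REACH + "SELECT subject FROM reach ORDER BY subject", (user,))
    return [r[0] for r in rows]


def permitted(conn, user, obj, op):
    """Grant if any ACL entry for the object names the user or one of the
    groups in the closure. Anything not granted is denied."""
    row = conn.execute(REACH + """
        SELECT 1 FROM acl
         WHERE object = ? AND operation = ?
           AND subject IN (SELECT subject FROM reach)
         LIMIT 1""", (user, obj, op)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = open_acl_db()
    for user in ("alice", "carol", "bob"):
        print(user, effective_subjects(db, user),
              permitted(db, user, "design.doc", "write"))
```

Two design points worth keeping when this pattern is used for real: the closure is computed per request from the membership table, so removing a user from a group takes effect immediately rather than after some cached role list expires, and the recursive query uses UNION rather than UNION ALL so that an accidental membership cycle (a group that contains one of its own parents) terminates instead of looping.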
For data exchange, and for "high-level comparisons", ACL data can be translated to XACML.
See also
- Cacls
- Capability-based security
- C-list
- Confused deputy problem
- DACL
- Role-based access control (RBAC)
Source of the article : Wikipedia